One of the words on everybody's lips these days is “security.” National, job, personal, data — security of all kinds is the topic of countless conversations and news stories. As was the case with Y2K, Africanized killer bees and the horrors of copying LPs onto cassettes, a great deal of the information flying around about threats to our security is complete nonsense, but nonetheless, there are some real dangers out there.
My local newspaper, for example, recently wrapped bundles of papers going to dealers with “scrap” paper — which happened to be printouts of subscribers' credit information. (Haven't you guys ever heard of a shredder?) In the days after that leaked out (and the publisher's subsequent full-page apology), the paper had to field several hundred thousand phone calls, and no one knows how much damage might ensue from the incident. It's hardly a unique occurrence: Almost every week there's a report about some tape or disk or laptop containing personal information about thousands of people being misplaced by, or stolen from, a bank or credit agency. Sometimes, these breaches are the result of criminal intent, but they often occur due to sheer stupidity.
Security is a serious issue to all of us in the recording business, because in a number of ways, we're a tempting target for thieves of all kinds. We've all heard stories of low-level studio employees or band hangers-on e-mailing MP3s of mixes to bootleggers; of break-ins by screwdriver- and wire cutter-carrying thugs who leave behind empty equipment racks; of studio personnel who forget to erase the hard disks in a rented DAW; of masters that are put into a taxicab and never seen again; and of late-night sessions that turn into rounds of Grand Theft Microphone. We need to keep reminding ourselves to keep the doors and equipment cabinets locked, to keep our servers firewalled and our wireless networks encrypted, to turn on the alarm when we leave and to check the credit and credentials of new clients, as well as new employees, lest things go wrong in a session and we lose a lot more than just the cost of the studio time.
In my humble opinion, though, one of the most serious threats to our security these days — besides the RIAA and the clowns in Washington — is the scumbags who have figured out how to use the Internet to implement clever scams against just plain folks like you and me. Con men (and women), swindlers and bunco artists are as old as civilization, but the Internet has made their jobs so much more interesting, easier and more lucrative. The Internet is still young and growing, and not everyone has developed the kind of radar that serves you well when, for example, a sleazebag on the street tries to sell you a Rolex from inside his raincoat.
The Nigerian-dead-bank-manager-leaves-$15M-with-no-heirs scam is so old and hairy it's amazing it's still going around, but I still get several of those a day, some with amusing twists involving Christian missionaries and Russian orphans. There are, of course, the ever-popular penny stocks “due to increase 400 percent!” that you've never heard of, and those urgent notices that someone has tapped into your PayPal or VISA account and put a second name on it — which are designed to get you to contact the fraudster who sent you the notice and give them your confidential information so that they can tap into your account.
Many of these fall under the category of “phishing,” which means (and even if they aren't together any more, I can't imagine the band Phish being happy about this coinage) using a phony but authentic-looking e-mail to get you to disclose your presumably secure information to someone who would very much like to use it to your disadvantage. Some phishing scams are easy to spot and some are not, but a great many of them can be identified if you know where (and take the time) to look: Open up the raw code of the message and look for an originating Web address or a URL under a click-on link, which is different from the organization the message claims to be from. If you find one, it's a scam.
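The check described above can be automated. The following is an added example, not part of the original column: it reads a raw message, then lists every sender header and link host that falls outside the domain of the organization the message claims to come from. The sample message, the `.example` domains and the function names are all constructed for illustration.

```python
import email
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message (not a real e-mail); every domain is a placeholder.
RAW = """\
From: "Auction Site" <offers@auction.example>
Reply-To: seller.payments@freemail.example
Subject: Second chance offer
Content-Type: text/html; charset="utf-8"

<html><body>
<a href="https://www.auction.example/help">Buyer protection</a>
<a href="http://auction.example.pay-verify.example/confirm">Pay now</a>
</body></html>
"""

class LinkCollector(HTMLParser):
    """Collect the host name behind every <a href> in an HTML body."""
    def __init__(self):
        super().__init__()
        self.hosts = []
    def handle_starttag(self, tag, attrs):
        host = urlparse(dict(attrs).get("href") or "").hostname
        if tag == "a" and host:
            self.hosts.append(host)

def belongs_to(host, org_domain):
    # Match on the END of the host name: "auction.example.evil.example" is not ours.
    return host == org_domain or host.endswith("." + org_domain)

def audit_message(raw, org_domain):
    """Return (where, domain) pairs that do not belong to org_domain."""
    msg = email.message_from_string(raw)
    findings = []
    for header in ("From", "Reply-To", "Return-Path"):
        domain = parseaddr(msg.get(header, ""))[1].rpartition("@")[2].lower()
        if domain and not belongs_to(domain, org_domain):
            findings.append((header, domain))
    links = LinkCollector()
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            charset = part.get_content_charset() or "utf-8"
            links.feed(part.get_payload(decode=True).decode(charset, "replace"))
    return findings + [("link", h) for h in links.hosts if not belongs_to(h, org_domain)]

if __name__ == "__main__":
    for where, domain in audit_message(RAW, "auction.example"):
        print(f"{where}: {domain} is not part of auction.example")
```

A clean result is not proof of legitimacy, because the From header is trivially forged; the findings only confirm a mismatch when one exists.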
Considering that all Web domains are publicly registered and the names of the registrants are easily available, it's amazing that, even though some phishers are quite skilled at covering their tracks, law enforcement hasn't been able to track down and prosecute more of these jerks — but in fact, there have been very few charges brought against these miscreants. I guess some agencies figure it's more important to keep tabs on people wearing inflammatory T-shirts.
The biggest Internet-related fraud problem in the country today, according to the Federal Trade Commission, is online auction fraud, with a typical loss per incident of more than $1,100. This takes many forms: There's the tried-and-true “ship a brick instead of a computer” gambit; the phony “Xbox case with nothing inside” ploy; and the “you pay by cashier's check and you never hear from them again” trick.
Well, progress, as one great American company used to boast, is our most important product (that was before they shifted the bulk of their operations to financial services), and there's progress on the Internet fraud front, as well. This month, I found out about a new twist that combines a number of these tactics and is aimed at an economic sector that a great many of us belong to: equipment buyers and sellers.
Here's how it works. You have a piece of gear you want to sell at auction on eBay, so you list it. You get a number of bidders, and when the auction ends, you sell the item to the highest bidder. But for quite some time after the auction is over, the eBay IDs of the other bidders, and the prices they bid, stay up on eBay on your item's page.
Now, eBay has a comprehensive set of procedures for dealing with transactions that don't work out for one reason or another. One of these — which is also useful if you have more than one of a certain item to sell — is called Second-Chance Offer. If the highest bidder's transaction goes sour, this gives you the option to sell to one of the other bidders at the price that they bid rather than the highest bid. For the seller, it's a good backup, and for the buyer, it's a good deal because he doesn't have to pay any more than he wanted.
The Second-Chance Offer is made through eBay's Website. You go to a special page and select which losing bidder you want to make the offer to and how long you want the offer to remain open, typically one to three days. Then eBay generates a message to the bidder, telling them the item is available and how to purchase it from you.
The scam involves sending a phony Second-Chance Offer message to the losing bidders that looks like it comes from eBay, but it doesn't. The message includes genuine eBay graphics, complete with all sorts of “seals of verification” and legitimate links to other places on eBay's site. It lays out all sorts of procedures and policies that sound reassuring and just complicated enough to be true: how the transaction is “guaranteed,” how the seller has a whole lot of money in a “purchase-protection account” to make sure the buyer doesn't get ripped off and how the buyer has five days to examine the merchandise and can return it for a full refund if he/she doesn't like it.
The buyer is told that in order to pay for this item, he has to send a Western Union money transfer to the e-mail's sender, which is on Yahoo or Hotmail or some other impossible-to-trace server. The original seller's eBay ID is prominent in the message, but the seller's name (which the buyer doesn't know) has been replaced with a bogus name and the address of a mail drop in a foreign country, London and Rome being two popular locations. To further entice the buyer, the message says that the seller will pay all of the shipping charges and split the fee with the buyer for sending the money transfer, which runs about 9 percent of the total amount.
The notice is even cheeky enough to “warn” the buyer, “Never use Western Union money transfer or money gram to pay a seller which [sic] credibility and payment address was not verified by us. You are most likely to lose your money and never receive the merchandise you paid for. If a seller requires cash transfer and you do not have this kind of purchase protection, please do not participate.”
Of course, the “purchase-protection account” doesn't exist, so when the mark does send a money transfer, the money disappears. The item itself doesn't exist either because it was already sold to someone else — the highest bidder. The mark blames the seller, a nasty dispute follows and the real culprit, wherever he/she is, goes and cashes in the money transfer, while laughing at the idiots trading accusations and insults on eBay. The crooks pick their marks carefully: All of the scams I tracked down involved losing bids of $1,000 or more.
So how did I find out about this? Someone tried to scam the bidders on a piece of gear I sold on eBay. A sharp-eyed Mix reader in California who was the second-highest bidder on the item received one of these bogus messages, and he noticed that the original location of the equipment (Massachusetts) didn't match the address he was supposed to send the money to (London). In fact, because I use my buddy Grumpmeier's name as my eBay ID (and I used to have an ID that was even easier to link to me), he figured out that I was the seller. He wrote me through eBay's messaging service to tell me what was going on, and he also notified eBay's fraud department, plus he wrote all the other bidders on the list to warn them that they might receive a similar message. Because anyone who might have been taken in by this would have first gotten mad at me, he did me almost as much of a favor as he did them.
I tried some Google searches on the address and the modus operandi of the scamsters, and turned up incidents dating back about a year and a half. They have gone after bidders on a collectible 19th-century $5 bill, a Nikon camera, a chip from a defunct Las Vegas casino, a Mesa Boogie amp, a dirt bike, a National steel guitar, a high-profile domain name and a sarrusophone, which is a rare, mid-19th-century musical instrument that's an unfortunate cross between a saxophone and a contrabassoon. Sarrusophone aficionados are, as you might imagine, a small and relatively tight group, and word got around quickly, so none of them fell for it.
Are there ways we can make ourselves secure against this sort of thing? Well, there are certainly things that governments and the corporate world can do. In January 2006, the British division of eBay announced that it would no longer recognize wire transfers as a legitimate form of payment. Of course, that means more business for eBay's wholly owned subsidiary PayPal, but in truth, PayPal has a lot fewer security holes. It would be nice if some state attorney general would generate a little publicity about this scam so that the media might pick it up. And it might be good if some of that enormous amount of money being spent on “homeland security” could be used to chase down these crumbs and put them behind bars.
But the scamsters' most potent weapon is what's called “social engineering”: figuring out how to make suckers bite. And no technology or law can protect us from our own carelessness and gullibility. As Sgt. Phil always said to the Hill Street cops, “Let's be careful out there.”
The main reason schemes like this succeed is that we let them: Too many of us accept the things we're handed at face value without the proper examination and skepticism. It's true whether we're being told we can get an unanticipated bargain on a piece of gear, or we will be rewarded with a veritable fortune just for being nice to a stranger, or that by waging eternal war on an invisible enemy we will achieve world peace. As long as we are willing to get fooled and fooled again, those who would compromise our security will always find a target.
Watch for Paul Lehrman's film Bad Boy Made Good on PBS stations in New Jersey and Washington, D.C., this month. It sounds like it's about eBay scams, but it's not.